The two types of penetration testing

September 11, 2014

Penetration testing is one of the most critical types of testing an IT department can do. Today, it seems like every week a new data breach is announced at a major company, with hackers stealing hundreds of thousands of passwords, email addresses, and other kinds of customer data.

Recently, The New York Times reported that a Russian crime ring has amassed 1.2 billion user name and password combinations and 500,000 email addresses. Alex Holden, the founder of Hold Security, said that the hackers aren't just targeting the Fortune 500, but companies of all sizes. 

"And most of those sites are still vulnerable," Holden said. 

Breaches like these should be motivation enough for every business to understand the importance of constantly testing their security. While we often think of IT security as a virtual endeavor, true penetration testing seeks vulnerabilities in both virtual and physical IT infrastructure. 

Penetration testing – physical IT infrastructure
IT security starts in the real world. While some IT departments are moving toward cloud based storage and solutions, many still have on-site storage and data facilities. Penetration testing for a physical facility involves having a tester or a team of testers attempt to break into the facility and gain access to the systems. Security Innovation Europe, an agency specializing in IT security, says that testing for physical vulnerabilities is difficult because there is such a wide range of techniques one could use to gain access to the buildings.

Some techniques involve picking locks or disabling cameras in order to enter the facility undetected. This may not be a problem during the work day, but it can highlight deficiencies in security after working hours.

Another more common technique is "social engineering." Penetration testers enter the building, sometimes posing as maintenance, and then ask a receptionist or another employee for access to key applications and equipment so they can compromise it.

Penetration testing – virtual IT infrastructure
Penetration tests of this variety involve a tester attempting to compromise a new or existing web application. They will use any means necessary to gain entry and attack the application. This type of testing can show critical vulnerabilities that the development team can then correct, either for an existing application or one that has yet to be released.

These tests can expose flaws in preventative security – keeping attackers out. What is equally important is that they can show weaknesses in reactive security – removing an attacker who is still inside the system. The ability to quickly respond to these attacks is a crucial part of overall IT security.